Browse archive

Latest news

The CSO perspective on healthcare security and compliance

Jailed hacker designs device to thwart ATM card skimming

U.S. Congress has questions about Google Glass and privacy

Cyber espionage campaign uses professionally-made malware

Form-grabbing rootkit sold on underground forums

Large cyber espionage emanating from India

Over 45% of IT pros snitch on their colleagues

U.S. DOD decides iPhones and iPads can connect to its networks

Digital Government Strategy progress and challenges

Barracuda updates web application firewall

Thoughts on the need for anonymity

IT security jobs: What's in demand and how to meet it

Hacking charge stations for electric cars

Password handling: challenges, costs, and current behavior

by Stephen Cobb - ESET Security Evangelist - Friday, 7 December 2012.

Online passwords are a pain, and not just when you have to type them to access your online bank account or shop at your favorite digital emporium. Password pain extends to the people who have to manage them. A few weeks ago we shared some initial findings from a recent poll of 2,129 U.S. adults (aged 18 and over) conducted for ESET by Harris Interactive.

Consider how people react to a request to change their online password. Here’s how people answered when we asked: If a social media site or online company with whom you have an account requests that you change your password, which of the following would you most likely do?

Always change my password: 31%
Sometimes change my password: 19%
Ignore the request: 18%
Contact company to see if request is genuine: 32%

In other words, a company asking its online account users to change their password can only count on 3 out of 10 them making the change. Half of the requests will either be ignored or, in a reflection of the sad state of online trust, generate some sort of customer service contact seeking verification of the request.

This finding provides a fresh way of looking at the cost of distrust. If a security breach creates a need to request 3 million users to reset their online passwords, you could be looking at 1 million unbudgeted customer service contacts. If you can keep average cost per contact as low as $1 that is still a $1 million bill.

Switching to a user perspective on passwords, I think many of us share the feeling that password changing is burdensome. That burden can mean passwords are not changed as often as they should be to properly protect accounts.

Nevertheless, our survey revealed that some people are making an effort. We asked "How frequently do you change the password for the online account you use most often?" Here's a breakdown of the responses:

About once a year: 46%
About once every 6 months: 31%
At least once a month: 8%
Never: 16%

Of course, when you map those frequencies against the current levels of online attack they might not seem adequate, but frankly they are better than I expected (I would like to research the extent to which some of these changes were due to the online account itself forcing a change, as opposed to the self-motivated diligence of the respondents).